https access to remote OpenVPN clients via OpenVPN server

The situation:
I have a number of OpenWRT (Linux distro for embedded devices) based routers out there, which I manage via an Ubuntu 8.04 LINUX server they all connect to. The Ubuntu server has a public IP address, the routers do not. To be able to address them the Ubuntu server is running an OpenVPN server, and the routers connect to the server on start-up. I can ping and ssh into the routers from my server - no problem.

What I want to achieve:
The routers have a web GUI which is accessed via normal http. I would like to connect remotely to the routers' web interface through a browser. I would like to do so without having to have OpenVPN installed on the accessing PC/workstation. This would obviously have to work through the Ubuntu server, as only the Ubuntu server with the OpenVPN server has any knowledge of the OpenVPN network and clients.

I figure this should be possible with port and/or IP forwarding, once I am connected via http or https to the Ubuntu server, but I do not understand enough about networking to make this happen.

151 readers and no one has any idea how this could be achieved? Come on folks, you are better than that. Can anyone give me a hint how this could be achieved? Should something like this not be possible with ip forwarding and masquerading?

Hello, I can give a solution to you, but since you gave relatively little info about the configuration of the network, I'll assume some things.
So, assuming that your Ubuntu server is a gateway between the Internet and some local network (the IPs of the VPN are also "private" IPs), meaning that an iptables nat/masquerade script is running on the server, you can use "iptables" to make your OpenWRT routers' web interfaces available from outside.

For illustrating the solution, I'll consider that your OpenWRT routers have IPs of the form 10.1.99.*, and that your Ubuntu server is accessible from the Internet with, let's say, the "my-ubuntu-server.org" host name. I'm also assuming that you'd need access to the web interface of two of your routers, with IPs 10.1.99.10 and 10.1.99.20.
In the firewall script, add the following lines:

The variable IP_INET should contain the public IP of your Ubuntu server (the IP that your ISP gave to you), and the variable IP_LAN should contain the private IP of your Ubuntu server (the IP of the gateway used by your internal network hosts).

After you run the firewall script modified as shown above, you should be able to connect to the web interfaces of your routers by simply pointing a web browser to: http://my-ubuntu-server.org:5678
(your first OpenWRT router, with 10.1.99.10 vpn ip)

And..uhmm..one last notice:
The variable IPTABLES used in the post above can be replaced with your /sbin/iptables (very possible to be exact) program on your Ubuntu server.
Too much bash scripting from me

Thanks for the response. This describes a scenario similar to what I am looking for. Well, I thought I was reasonably clear, but maybe I was not.

So here is a diagram of the network setup and a second diagram of the request handling I am thinking of. Don't worry about the iptables magic that has to happen on the router. There is tons of info out there on that, so that I can handle.

But what has to be configured with IPTABLES or otherwise on the Ubuntu server (the one in the middle of the diagram with address 1.2.3.4)? Does the setup shown in the diagrams require a change in the solution proposed above? I should think so, but what does it look like?

Right?
I am not sure why I need this rule, so I would appreciate some enlightenment. And why is there no FORWARD rule? The noob I am in this, I would have assumed I need a FORWARD rule to, well, basically forward. Is that not so? And why not?
and with

you totally surpass my understanding. What is that rule achieving? And since there is no local network involved there is no sensible value for $IP_LAN I can make out in my own mind. Does that mean this rule is superfluous for my scenario?

Thanks again for bothering to respond. I would be grateful if you could stick with me; maybe I am a bit clearer on what I am trying to achieve now, so you can give some further advice.

The line above works when the server (the Ubuntu server in your case) is a gateway between a LAN and the Internet. And the role of the line is to provide what is called "complete forwarding", meaning that a specific port forward is available from outside as well as from the LAN behind the server.
Since you don't have a LAN behind your Ubuntu server, you can IGNORE that line completely! Don't think about it anymore...

So, with the information that you provided, I can say that the solution you created, by replacing the generic port numbers I gave with your port numbers, is CORRECT!
I'll list it once again, for the sake of completeness.

Put this in a text file, make that file executable, execute it as a bash script, and the connection to your OpenWRT router 10.8.x.b:8080 should work from a remote PC by typing "http://1.2.3.4:u" in your browser.

Add a pair of iptables rules for each router, be sure you modify the "u" port and 10.8.x.x IPs to be different for each router, and you'll be able to manage all your routers remotely!

I have tried to implement it, but ran into problems getting these two new rules into the Bastille firewall manager (see here). So for the moment I cannot really give feedback but I will be in touch once I can test the solution. I will be in touch ...

Hello again!
I'm surprised it didn't work. I managed to forward a port from a real IP to a VPN station, by adding those two iptables rules to the existing firewall script.
Did you specifically check that the rules were written syntactically correct, and that they can be seen with "iptables -t nat -L" ?
What's the default policy of iptables, on your Ubuntu system? (ACCEPT or DENY/DROP)

For now, I think that checking the stuff I've written above could be helpful.
If the stuff is correct, and forwarding still doesn't work, maybe you should begin traffic analysis.
For this, I recommend the following tools: tcpdump (it's a command line tool) or wireshark (aka ethereal), which is a GUI tool.

And, as an alternative solution for forwarding, you can use ssh, or PuTTY. There are tutorials on the Internet about this topic.
Good luck!

I can now offer a better solution that is based on a script from the Bastille guys as well (see code below). What I added was the MASQUERADE rule and the switch that ensures that port forwarding is actually activated on your LINUX server (tested for Ubuntu/Debian; please check with your LINUX distro that the same switch exists in the same location, or adjust the script accordingly in the line starting with "echo 1 > ..."). Other than being fully compliant with iptables and Bastille, the script offers the additional advantage that only port forwarding for explicitly specified ports is opened, as opposed to the entire tun+ interfaces as was done in my solution. Here goes:

Now copy all the following code into the file portforward.sh
The magic is happening in the lines under item 1. Adjust to suit your port forwarding needs. The explanation in the script should be quite sufficient. This script should be able to handle port forwarding within your network, to connected VPN networks, and to external servers (the latter may require the activation of another line in the script under section 0 in some cases).
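Neither the two-rule solution from the earlier answer nor the portforward.sh script is reproduced on this page, so here is an added example that is not the thread's own script and not Bastille's. It puts together the pieces the thread discusses: the DNAT rule from the first answer, the FORWARD rules scoped to a single port rather than the whole tun+ range, the MASQUERADE rule so the router's replies come back over the VPN, and the "echo 1 > /proc/sys/net/ipv4/ip_forward" switch. The public IP 1.2.3.4, GUI port 8080 and public port 5678 come from the thread; the interface names eth0 and tun0, the router VPN addresses 10.8.0.10 and 10.8.0.20 and the second public port 5679 are constructed assumptions. By default it only prints the rules (a dry run) so the mapping can be reviewed before running it as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not the thread's or Bastille's script: emit (and optionally
# apply) the iptables rules that expose an OpenVPN client's web GUI through
# the server's public address. Dry run unless APPLY=1.

IPTABLES=${IPTABLES:-/sbin/iptables}
IP_INET=${IP_INET:-1.2.3.4}                 # server's public IP (thread's example)
WAN_IF=${WAN_IF:-eth0}                      # assumption: public-facing interface
TUN_IF=${TUN_IF:-tun0}                      # assumption: the server's OpenVPN interface
ROUTER_WEB_PORT=${ROUTER_WEB_PORT:-8080}    # OpenWRT GUI port (thread's 8080)

# Constructed sample map, one router per line: "<public port> <router VPN IP>".
# Each router needs its own public port; the VPN IPs stand in for 10.8.x.b.
ROUTERS='5678 10.8.0.10
5679 10.8.0.20'

# Accept only 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only a dotted quad with each octet in 0..255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the four rules for one router, scoped to one port instead of tun+.
forward_rules() {
    pub_port=$1; vpn_ip=$2
    # 1. DNAT: rewrite the destination of packets arriving on the public port
    echo "$IPTABLES -t nat -A PREROUTING -i $WAN_IF -p tcp -d $IP_INET --dport $pub_port -j DNAT --to-destination $vpn_ip:$ROUTER_WEB_PORT"
    # 2. FORWARD: allow the DNATed flow into the tunnel and its replies back out
    echo "$IPTABLES -A FORWARD -i $WAN_IF -o $TUN_IF -p tcp -d $vpn_ip --dport $ROUTER_WEB_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPTABLES -A FORWARD -i $TUN_IF -o $WAN_IF -p tcp -s $vpn_ip --sport $ROUTER_WEB_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. MASQUERADE: the router sees the server's tunnel IP as the source, so
    #    its replies return over the VPN instead of via its own default route
    echo "$IPTABLES -t nat -A POSTROUTING -o $TUN_IF -p tcp -d $vpn_ip --dport $ROUTER_WEB_PORT -j MASQUERADE"
}

# Print the whole rule set, starting with the forwarding switch from the thread.
emit_all() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    printf '%s\n' "$ROUTERS" | while read -r pub_port vpn_ip; do
        [ -n "$pub_port" ] || continue
        valid_port "$pub_port" && valid_ipv4 "$vpn_ip" ||
            { echo "invalid router entry: '$pub_port $vpn_ip'" >&2; exit 1; }
        forward_rules "$pub_port" "$vpn_ip"
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    emit_all | sh -e                      # needs root
else
    echo "# dry run: set APPLY=1 (as root) to apply these" >&2
    emit_all
fi
```

The rules are appended, so running the script twice duplicates them; if it is folded into a firewall script that flushes the nat and filter tables first, that is not a concern. The validation step exists because a typo in the router map would otherwise silently produce a rule that forwards a public port to the wrong address.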

Hello!
Long time no hear from you!
Excuse me for too much silence regarding this post!
All began with you asking for help in the forwarding matter, me trying to help, and in the end...you helped me!

So, regarding your first solution:
- you added the MASQUERADE rule for the outgoing packets, so they can find their way back! Correct! I forgot about this in my proposed solution (I guess I considered it enabled by default)